Single Sign On (SSO)

Updated December 03, 2018 21:35

Visiting non-official EVE Online web sites may prompt users to log in using their EVE Online account credentials. This can cause concern for their account security. However, it is possible that the web site is using the EVE Online Single Sign On (SSO). The SSO allows users to submit their account information securely to the EVE Online login server and for the web site to receive confirmation that the player owns a specific character.

There are some important points to consider when prompted to submit the account credentials when visiting a non-official CCP site:

Users should ensure that the site which requests the log in information is secure. In order to determine the site is secure, please see the 'How to use the SSO in a secure way' section below.

Using an authentic SSO means that the web site will not see the account credentials (Username or Password). The SSO will only confirm if an account holds a character.

If there is any doubt about the security or authenticity of a website, users should not enter any account information. Any suspicious sites should be reported to security@ccpgames.com

More detailed information about the SSO can be found in the article below.

What is the SSO?

The SSO, also known as single-sign-on, is a way to log into one web site or application using a username and password from another web site.

For example, https://www.goodreads.com/ will request to sign in with Facebook, Twitter, Google, or even Amazon. For Goodreads this is great because it means they don't have to worry about managing registered username and password information. It also has the nice advantage of making it a lot easier to sign into their site without registration or keep track of multiple extra account names and passwords.

For EVE Online, the SSO means logging into a web site that has integrated the EVE SSO and can confirm a specific character. While signing into a site, a character will be chosen to authenticate and the web site allow EVE SSO to get confirmation from CCP that verifies the character ownership.

The original web site will only get the character information. They will never see the account name or password. The original web site will not know on which account that character is or have any way of linking that character to any other character on the same account.

The SSO looks something like this:

How to use the SSO in a secure way

SSO system, by nature, is the guard at the gates. In our case it guards who is able to access the virtual identity. Sadly, the internet is full of fraudsters lingering around and waiting for a chance to make a profit or gain some benefits and they are happy to do this any way imaginable. They try to trick people into giving them their account credentials with the help of social and technical measures including phishing and spoofing of authorities as well as web portals.

That being said, what is the best way to use the SSO in a secure way? Luckily, nowadays tools and technologies provide us with plenty of information about trust relationships and communication security. Utilizing this information, we are able to tell if we are being targeted by an attack or not. In the case of our SSO this looks like follows.

Validate secure connection to the correct web resource before entering any credentials

There is only one legitimate domain and host name combination for our SSO which is login.eveonline.com. Also make sure the connection is via https: (note the “s”) and never enter any credentials over plain text and unauthenticated http: connections.

Verify that the connection is securely encrypted and authenticated

This is an example of the verification dialog displayed by clicking the small lock icon to the left of the URL bar in a Chrome browser. Every modern browser provides this or a similar brief overview which allows verification of the trust relationship of the SSO connection and the security level of the encryption which is applied.

Manual verification of the certificate

By manually verifying the certificate of the web resource connection, the certificate validation can be conducted for the domain it is used and its expiration.

Finally

Following these recommendations, it is possible to reduce the risk of account credentials being stolen. Also, we encourage to report any misleading, bogus or questionable usage of our SSO to security@ccpgames.com.